CVE-2022-4237
Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.8EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
02 ene 2023Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
Unknown · Welcart e-Commerce¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →